July 2024 is an Important Month for U.S. Privacy: Here’s What You Need to Know About Four New State Laws
Over the last few years, around 20 U.S. states have passed comprehensive privacy legislation, causing businesses to make fundamental changes to how they collect and use their customers’ data.
July was a big month for U.S. privacy law, as some of these new laws took effect in Texas, Oregon, and Florida, and new rules on targeted advertising kicked off in Colorado.
These changes will impact thousands of companies based all over the world. Here’s a rundown of July’s U.S. privacy milestones and some tips on what to do if you’re affected.
Texas Data Privacy and Security Act (TDPSA)
The Texas Data Privacy and Security Act (TDPSA) took effect on July 1, 2024, bringing new obligations to thousands of businesses.
The TDPSA has an unusually broad application. Companies of all sizes are covered (subject to exemptions), as long as they do business in Texas or produce products or services “consumed by” Texas residents, and process personal data (practically every company does this).
There’s only one rule for “small businesses” (currently defined as businesses with under 500 employees): Don’t sell sensitive data without consent.
But other companies face many additional obligations, including:
- Complying with consumer rights to access, correct, delete, and export their personal data
- Conducting a “data protection assessment” before engaging in certain risky processing activities
- From January 1, 2025: Allowing consumers to opt out of targeted ads via a Universal Opt Out Mechanism (UOOM).
That last requirement, processing “UOOMs”, will affect the largest number of businesses as it could apply whenever a Texas resident visits your website. We’ll look at what this obligation means in more detail below.
Oregon Consumer Privacy Act (OCPA)
The Oregon Consumer Privacy Act (OCPA) also took effect on July 1—the same day as the TDPSA. Oregon’s new privacy law looks a lot like Texas’s, but there are some important differences.
Firstly, the OCPA applies to organizations that conduct business in Oregon or “provide products or services” to Oregon residents, and either:
- Controlled or processed the personal data of 100,000 or more Oregon consumers (excluding payment transactions) or
- Both:
- Controlled or processed the personal data of 25,000 or more Oregon consumers, and
- Derived 25% or more of its annual gross revenue from selling personal data
As usual, certain organizations are exempt from the OCPA. But unlike most other comprehensive privacy laws, the OCPA applies to most non-profits (except certain non-profits in the insurance and broadcasting sectors).
Like Texas, Oregon will require businesses to uphold consumer privacy rights, conduct assessments of risky data processing activities, and allow consumers to opt out of targeted ads via a browser or device-based UOOM.
But the OCPA has one unusual requirement: Businesses must tell consumers, on request, every specific third party to which they disclose personal data.
This requirement could be challenging for many businesses. A Live Data Map can reveal how personal data flows through your systems, helping you control data risks and explain your practices to consumers where required.
Florida’s Digital Bill of Rights
Florida gave effect to its Digital Bill of Rights on July 1, which brings residents new rights over their personal data—but will mostly impact big tech firms.
Unless your company has annual revenues of over $1 billion and operates an app marketplace, social media network, or smart speaker, you probably don’t need to worry about Florida’s new privacy law.
But it’s still highly significant that Florida has joined the many states across the U.S. that are strengthening their privacy legislation. Consumers are demanding better protection over their personal data—and both lawmakers and businesses are responding.
Colorado’s new online tracking rules
Most of Colorado’s comprehensive privacy law, the Colorado Privacy Act (CPA), took effect in July 2023. But one section took effect on July 1, and it has major implications for any business covered by the law.
Colorado now requires businesses to process consumers’ requests to opt out of certain uses of their data via Global Privacy Control (GPC), the most widely used UOOM.
If a Colorado consumer visits your website, and you’re covered by the CPA, your website must check whether they are using GPC to broadcast a “Do Not Sell” signal. If so, you must not:
- Sell the consumer’s personal data, or
- Use the consumer’s personal data for targeted ads
Colorado isn’t the first state to require businesses to process GPC signals—it’s been a legal requirement for several years under the California Consumer Privacy Act (CCPA). In 2022, California reached a $1.2 million settlement with cosmetics retailer Sephora, partly because the company ignored GPC signals.
But even two years on, many other companies are making the same mistake. DataGrail research found that 75% of websites ignore GPC signals and are therefore unready to comply with these rules.
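The check described above, as an added example that is not code from the original post or from DataGrail: a browser broadcasts GPC as the request header `Sec-GPC: 1` and as the script-visible property `navigator.globalPrivacyControl`, and a covered site must detect either and switch off data sales and targeted advertising for that visitor. The consent-record shape (`{ sell, targetedAds }`), the `req.privacy` field and the middleware name are assumptions made for this example.

```javascript
// Added example: honouring a Global Privacy Control (GPC) opt-out.
// GPC is signalled two ways: the HTTP request header "Sec-GPC: 1" and the
// page-script property navigator.globalPrivacyControl === true.

// Server side: read the header. Header names are case-insensitive, so we
// normalise them; "1" is the only value that means opt-out.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: the same signal as seen by page scripts (e.g. a tag loader).
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide what processing is allowed for this visitor. `consent` is the site's
// stored consent record (assumed shape: { sell: bool, targetedAds: bool }).
// A GPC signal switches both uses off regardless of the stored default.
function allowedProcessing(gpcSignal, consent = { sell: true, targetedAds: true }) {
  if (gpcSignal) {
    return { sell: false, targetedAds: false, reason: "gpc-opt-out" };
  }
  return { sell: !!consent.sell, targetedAds: !!consent.targetedAds, reason: "stored-consent" };
}

// Express-style middleware (plain function, no framework import). It attaches
// the decision to req (assumed field name) so later handlers and ad/tag loaders
// consult it, and sets Vary so caches never serve one visitor's page to another.
function gpcMiddleware(req, res, next) {
  const optOut = gpcFromHeaders(req.headers);
  req.privacy = allowedProcessing(optOut, req.consent);
  if (res && typeof res.setHeader === "function") res.setHeader("Vary", "Sec-GPC");
  if (typeof next === "function") next();
  return req.privacy;
}

// Constructed sample request: a visitor whose browser sends the GPC header
// while the site's stored record would otherwise permit both uses.
const sampleReq = {
  headers: { "sec-gpc": "1", "user-agent": "constructed-sample" },
  consent: { sell: true, targetedAds: true },
};
console.log(gpcMiddleware(sampleReq)); // { sell: false, targetedAds: false, reason: 'gpc-opt-out' }
```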
Along with Texas, Oregon, Colorado, and California, UOOM requirements will kick in across many other states over the next few years, including Connecticut, Montana, New Jersey, and more. Using a consent management platform can help you stay compliant with this coming wave of new laws.
US Privacy in July 2024: Key Takeaways
July 2024 was a big month for U.S. privacy: New laws took effect in Texas, Oregon, and Florida, and Colorado’s “UOOM” rules kicked in.
These new laws require thousands of businesses to better protect personal data, facilitate consumers’ privacy rights requests, and let consumers opt out of targeted advertising.
Privacy is getting complicated—but there are tools available to simplify compliance:
- Use data mapping software to automatically reveal where personal data lives in your systems
- Implement a data subject request manager to handle consumer privacy requests
- Use a no-code consent management platform to ensure your website meets new opt-out requirements